Cisco Cisco TelePresence Video Communication Server Expressway
We recommend that you upload CRL data for the CAs that sign TLS/HTTPS client and server certificates. When
enabled, CRL checking is applied for every CA in the chain of trust.
enabled, CRL checking is applied for every CA in the chain of trust.
Certificate Revocation Sources
The VCS can obtain certificate revocation information from multiple sources:
■
automatic downloads of CRL data from CRL distribution points
■
through OCSP (Online Certificate Status Protocol) responder URIs in the certificate to be checked (SIP TLS
only)
only)
■
manual upload of CRL data
■
CRL data embedded within the VCS's Trusted CA certificate file
The following limitations and usage guidelines apply:
■
when establishing SIP TLS connections, the CRL data sources are subject to the Certificate revocation
checking settings on the SIP configuration page
checking settings on the SIP configuration page
■
automatically downloaded CRL files override any manually loaded CRL files (except for when verifying SIP TLS
connections, when both manually uploaded or automatically downloaded CRL data may be used)
connections, when both manually uploaded or automatically downloaded CRL data may be used)
■
when validating certificates presented by external policy servers, the VCS uses manually loaded CRLs only
■
when validating TLS connections with an LDAP server for remote login account authentication, the VCS uses
CRL data within the Trusted CA certificate only
CRL data within the Trusted CA certificate only
Automatic CRL Updates
We recommend that you configure the VCS to perform automatic CRL updates. This ensures that the latest CRLs are
available for certificate validation.
available for certificate validation.
To configure the VCS to use automatic CRL updates:
1.
Go to Maintenance > Security certificates > CRL management.
2.
Set Automatic CRL updates to Enabled.
3.
Enter the set of HTTP(S) distribution points from where the VCS can obtain CRL files.
Note:
—
you must specify each distribution point on a new line
—
only HTTP(S) distribution points are supported; if HTTPS is used, the distribution point server itself must
have a valid certificate
have a valid certificate
—
PEM and DER encoded CRL files are supported
—
the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing multiple CRL
files
files
—
the file extensions in the URL or on any files unpacked from a downloaded archive do not matter as the VCS
will determine the underlying file type for itself; however, typical URLs could be in the format:
will determine the underlying file type for itself; however, typical URLs could be in the format:
•
http://example.com/crl.pem
•
http://example.com/crl.der
•
http://example.com/ca.crl
•
https://example.com/allcrls.zip
•
https://example.com/allcrls.gz
4.
Enter the Daily update time (in UTC). This is the approximate time of day when the VCS will attempt to update
its CRLs from the distribution points.
its CRLs from the distribution points.
5.
Click Save.
12
Cisco VCS Certificate Creation and Use Deployment Guide